Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Richard Cumbley and Peter Church, of Linklaters LLP, London. Peter Church is a member of the World Data Protection Report Editorial Board.
Google's relationship with EU privacy regulators is currently fairly fractious, but the company will take some comfort from a recent positive opinion from the Advocate General in a crucial case currently before the European Court of Justice, Google v AEPD (C-131/12).
The case arose out of an individual's request that information about him be removed from Google's search engine. It poses three important questions:
• What is the territorial scope of the EU privacy laws?
• Do they apply to “intermediaries” such as Google?
• Do they provide a “right to be forgotten”?
The key finding in the opinion is that, while U.S.-based Google Inc. is subject to EU data protection laws, it is only partly responsible -- i.e., only partly a data controller -- in respect of personal data contained in, or referenced by, its search engine.
This conclusion appears to be driven by policy considerations and the difficulties in reconciling the broad and antiquated EU data protection laws with the modern world of the internet. It raises uncomfortable questions about whether the 1995 EU Data Protection Directive (95/46/EC) (the Directive) is still fit for purpose.
The Advocate General's opinion, which was published June 25, 2013, is not binding on the European Court of Justice, but is often followed in practice. The Court is expected to give its ruling either later this year or early next year.
The dispute dates to a newspaper report in 1998 about the financial difficulties of a Mr Mario Costeja González. An electronic copy of the report was subsequently placed on the newspaper's website and indexed by Google's search engine.
In 2009, Mr Costeja asked the newspaper to remove the publication, as it was old and irrelevant. The newspaper refused to do so, so Mr Costeja asked Google to remove that publication from its search engine. When Google also refused, he complained to the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD).
The AEPD found that the report was part of the public record and so the newspaper did not have to remove it from its site. However, the AEPD ordered Google to remove a link to the publication from its search engine. Google appealed to the national courts, which, in turn, referred the matter to the European Court of Justice.
The reference relates only to Google's acquisition and indexation of personal data from the internet. It does not relate to the processing of personal data about users of Google's search engine and other services, although, given the current enforcement action by French and UK data protection authorities and others against Google, these issues may also come before the European Court of Justice in due course.
The first question relates to the territorial scope of EU data protection laws, an increasingly important issue given the transnational delivery of services across the internet, particularly by large U.S.-based technology companies. In general terms, a data controller will be subject to the data protection laws of a particular EU Member State if it is either established in that Member State or is not established in the European Union but uses equipment in that Member State.
The analysis here was complicated by the fact that Google's search engine is operated solely by California-based Google Inc. The only presence Google has in Spain is a subsidiary, Google Spain SL, which is only involved in promoting and selling advertising space on the search engine.
The opinion considered a number of different arguments as to why Google Inc., as operator of the search engine, should be subject to Spanish data protection laws. These include that:
• Google uses webcrawlers and robots to locate and index information contained on Spanish webservers. It was argued that this was a use of equipment located in Spain, which engages Spanish jurisdiction under Article 4(1)(c) of the Directive. The opinion does not consider this issue in any detail, although, from a technical perspective, it seems to be based on a mistaken assumption that the crawlers and robots have some physical presence that moves around the internet; and
• The “centre of gravity” of the current dispute is in Spain, so Spanish data protection laws should be applied on the basis of Article 8 of the EU Charter of Fundamental Rights (rights to data protection). This attempt to rewrite the Directive was firmly rejected.
However, the Advocate General considered that Google Inc. had an establishment in Spain because its Spanish subsidiary, Google Spain SL, promoted and sold advertising space, and this was sufficient to make it subject to Spanish data protection laws (Article 4(1)(a) of the Directive). Google Inc. and Google Spain SL were an “economic operator [that] must be considered as a single economic unit”. This conclusion is possible in light of other EU jurisprudence on the concept of establishment, although one might normally expect greater analysis of the application of these principles in this case, for example, some analysis of the scope of operations of the Spanish subsidiary or its ability to act independently from Google Inc.
In addition, while data protection laws apply to an establishment in an EU Member State, this is limited to personal data processed in the “context of the activities of [that] establishment”. Given that the only processing conducted by Google in Spain was limited to sales and marketing, it is not immediately clear why other processing conducted outside that territory, i.e., the operation of the search engine itself, should also be caught.
It is hard to avoid the conclusion that this finding is based partly on policy considerations, as in other areas of the opinion. It is also arguably unnecessary. Google does in fact have data centres in Belgium and Finland. This constitutes use of equipment in those jurisdictions and would appear to make Google's search engine subject to Belgian and Finnish data protection laws. It is not clear why Mr Costeja could not simply make his complaint under those laws rather than have to rely on Spanish data protection law.
In any event, if the opinion is followed by the European Court of Justice, it raises a range of interesting questions about the country of origin principle in the Directive. Are parent companies generally subject to dual establishment in all of the jurisdictions in which they have subsidiaries? For example, might a parent company have to comply with multiple, and potentially conflicting, national data protection laws and also make local notifications?
It could also undermine the approach taken by other U.S. tech companies which have established themselves in EU Member States with “business friendly” privacy laws. For example, Facebook established its main EU operations in Ireland, in part, so that it would have to consider only Irish data protection law (see, for example, report at WDPR, May 2013, page 23). However, Facebook also has local sales and marketing operations around the European Union, so its main EU operations could presumably also have multiple establishments across the European Union for data protection purposes.
Finally, these difficulties provide some context for the extraterritorial provisions in the European Commission's proposed General Data Protection Regulation to replace the Directive (see analysis at WDPR, February 2012, page 4). These would clearly capture U.S. internet businesses providing goods or services into the European Union or monitoring consumer behaviour, regardless of whether or not those businesses have an EU-based subsidiary. The position in the draft Regulation has been pushed for by many privacy advocates out of fear that internet businesses such as Google search were not caught by the current Directive. If that is no longer the case -- at least in the case of Google and its ilk -- one key driver for the need for the new Regulation may no longer exist.
Having found that Google Inc. was within the territorial scope of Spanish data protection laws, the next question was whether it was within the substantive scope of those laws. The question is essentially whether search engines such as Google Inc. are responsible -- i.e., data controllers -- in respect of personal data in their search engines.
Before answering that question, the Advocate General made some wider observations about EU data protection laws. His conclusions, although perhaps not surprising, create significant uncertainty about the operation of the law. He concludes:
• When the Directive was passed in 1995, use of the internet was limited and search engines were in a nascent state. The development of the internet into “a comprehensive global stock of information which is universally accessible and searchable was not foreseen by the Community legislator”;
• The Directive was given a wide scope of application when it was enacted to capture the range of technological developments at that time. However, its potential scope of application is now “surprisingly wide” and will potentially apply to “anyone today reading a newspaper on a tablet computer or following social media on a smartphone” to the extent that it applies outside their purely private capacity; and
• This broad scope requires the European Court of Justice to “apply a rule of reason … the principle of proportionality, in interpreting the scope of the Directive in order to avoid unreasonable and excessive legal consequences”.
With these factors in mind, the Advocate General had to evaluate whether Google is a data controller on the basis that it determines “the purposes and means of the processing of personal data” in its search engine (Article 2(d) of the Directive).
The opinion considers that Google is not a data controller in respect of the personal data it refers to on third party websites, provided that it takes certain minimum steps in respect of that data, such as regularly updating cached content in its servers and not indexing content from sites with search engine exclusion codes. This is on the basis that Google is not “aware” of the actual personal data on those third party websites, nor is it intending to process that personal data in any “semantically relevant way”.
In coming to this conclusion, the opinion warns the Court against the “irrational nature of the blind literal interpretation of the Directive” which makes “virtually everybody owning a smartphone or a tablet” a data controller. It also states that making Google a data controller of this information would mean that it would be impossible for it to comply with data protection laws, because of the restrictions on processing sensitive personal data (which would inevitably be included in some third party websites).
However, Google is a data controller in respect of the “index of the search engine”. Google's processing of the index is compatible with the Directive because it constitutes the pursuit of a legitimate interest (Article 7(f) of the Directive), and its data quality duties in respect of accuracy, excessiveness, etc. (Article 6 of the Directive) are limited to accurately reflecting the content of the underlying website. In this respect, the processing should be seen as the “provision of information location services” and “not an issue relating to the content of the source websites”.
This approach is pragmatic, but, as a piece of judicial law-making, raises a number of concerns.
Firstly, the Advocate General suggests his approach is not consistent with the literal interpretation of the Directive. Neither is it likely to be consistent with the purposive interpretation, given that the Directive was deliberately drafted to be as wide as possible. Instead, it appears to be an attempt to rewrite the laws on pure policy grounds through the creation of a new exemption for intermediaries such as Google that perform “entirely passive and intermediary functions”.
Secondly, Google's search index is effectively a distillation of the information from those third party websites, and so, substantively, will contain nearly all of the same personal data. Some of that personal data in the index will also be sensitive, so what is the justification under the Directive for its processing by Google? If Google might struggle to establish grounds for processing sensitive personal data in its cache of website pages, it will equally struggle to do so in respect of its index.
Thirdly, there is a great deal of uncertainty about the new concepts of “awareness” and “intention” in determining if someone is a data controller, and it is not clear if they are really needed. The concepts assist the Advocate General to conclude that Google is not a data controller in respect of personal data referenced on third party websites. It might be easier to conclude that Google is not a data controller on the simple basis that it has no control over the data's content, or the purpose for which it is processed.
The final question is whether the Directive already contains a “right to be forgotten” based on the right to erasure and blocking of data under Article 12(b) and the right to object to processing under Article 14(a).
The Advocate General's opinion is no. The right to erasure and blocking of data under Article 12(b) is more relevant to incomplete or inaccurate data, and there was no suggestion in this case that the newspaper report on Mr Costeja was not entirely true and accurate. Moreover, the right to object under Article 14(a) arises where there are compelling legitimate grounds. The desire of a data subject to restrict or terminate the dissemination of true and accurate public information on the grounds that it is harmful or contrary to his interests does not satisfy this condition.
This conclusion is supported -- in the Advocate General's view -- by the presence in the Commission's proposed General Data Protection Regulation of an express right to be forgotten. That right has met considerable resistance, and arguably has been so watered down in the latest versions of the Regulation as to have little practical effect. Still -- in the Advocate General's view -- it is more than a codification of existing law, and instead is a legal “innovation”.
The Advocate General took comfort from his view that the Charter of Fundamental Rights did not require the creation of any such right to be forgotten either. While Article 8 of the Charter guarantees a right to the protection of personal data, this must be balanced against the rights of freedom of expression and freedom of information in Article 11 of the Charter.
Finally, the opinion warns against trying to deal with this issue on a case-by-case basis. Search engines could not be expected to carry out any substantive review of every individual request to remove material from their results, and so would be likely to automatically withdraw that material instead. This would result in the suppression of legitimate and legal information which would conflict with, amongst other things, the important educational and historical value of this information (as recognised by the European Court of Human Rights in cases such as Times Newspaper v UK, Applications 3002/03 and 23676/03).
There are powerful arguments that a right to be forgotten risks the “falsification of history”, but it is also important to note that this was not a borderline case. For example:
• There was no question that the information about Mr Costeja was correct;
• The underlying publisher was subject to Spanish data protection law. The AEPD had reviewed the matter and concluded that the newspaper was not required to remove the material from its website, as it was part of the public record; and
• The information was not particularly personal. For example, it did not reveal any sensitive personal information about Mr Costeja.
At the other extreme, it is easy to imagine a situation in which false, or deeply sensitive, personal information is hosted on a server based in a territory which has little respect for privacy rights and where the only real remedy of the affected individual is for links to that information to be removed from the search engines. Ultimately, the conclusion may still be that freedom of expression trumps protection of privacy, but the matter should be tested against a more challenging scenario.
The issues of territoriality, material application and the right to be forgotten are all interesting. The Advocate General's opinion on these points is not binding on the European Court of Justice, and, while it is normally followed in practice, there are reasons why the Court might not want to do so in this case.
For example, the Court might:
• conclude that Google's search engine is not “established” in Spain and not otherwise subject to Spanish data protection laws. This finding could also provide fresh impetus to finalise the General Data Protection Regulation, which contains express extraterritorial provisions that would apply to Google's search engine; or
• find that Google is a data controller in respect of both its search index and the contents of the information referenced by that search index -- i.e., reject the opinion's suggestion that Google is, in part, not a data controller because it is not “aware” of and does not “intend” to process personal data referenced by its searches. This would not suddenly require Google to remove the publication about Mr Costeja, given the opinion's recommendation that there should be no “right to be forgotten” in these circumstances. It would raise the question of how Google justifies its processing of sensitive personal data, but this is a problem affecting all data controllers, and it is not clear why this case justifies redefining core concepts such as that of a data controller.
A more important question raised by the opinion is whether the Directive is still fit for purpose. It was intentionally drafted in broad terms, with concepts such as “personal data” capturing almost any information about identifiable individuals and “processing” capturing almost any conceivable operation of personal data.
This sits uneasily with the internet age, in which most individuals have access to computers, smartphones, the internet and social media. The opinion suggests that we have a law that is so broad and all-encompassing that it can no longer provide sensible conclusions on the basis of either a literal or, possibly, a purposive interpretation, and instead must be interpreted on some form of “super-purposive” basis using broad policy considerations.
It is difficult to see how organisations can be expected to comply with these laws where their interpretation is necessarily driven by unpredictable and subjective policy-based considerations. The opinion itself states in relation to the jurisdictional question: “it is no wonder that data protection experts have had considerable difficulty in interpreting [the Directive] in relation to the internet”.
One of the consequences of “super-purposive” interpretation is that it moves so far from the original text -- drafted and negotiated painstakingly by legislators -- that it risks unintended consequences. For example, if the concepts of “awareness” and “intention” from the opinion are adopted, they will create new problems for determining if someone is a data controller. Maybe other organisations, besides Google, that store large amounts of personal data but have no intention of looking at it themselves might also no longer be data controllers, no longer subject to data security obligations or fair use requirements -- for example, internet service providers capturing email traffic for government authorities?
Many would agree with the Advocate General's obvious distrust of the current Directive. But if we have learnt anything in privacy over the last few years, it is that law made in haste makes matters worse. The opinion suggests that we need a fresh approach to EU privacy laws, but more than anything what we need is a fresh approach that will stand the test of time.
The full text of the Advocate General's opinion can be accessed at http://curia.europa.eu/juris/documents.jsf?num=C-131/12.
Richard Cumbley is a Partner and Peter Church is an Associate with Linklaters LLP, London. Peter Church is also a member of the World Data Protection Report Editorial Board. They may be contacted at firstname.lastname@example.org and email@example.com.
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)